CVE-2026-32604

CRITICAL LAB

Spinnaker vulnerable to RCE when using gitrepo artifact types due to improper sanitization of user input on branch and paths

Title source: cna

Description

Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands very simply on the clouddriver pods. This can expose credentials, remove files, or inject resources easily. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable the gitrepo artifact types.

Exploits (1)

nomisec WORKING POC

by ZeroPathAI · poc

https://github.com/ZeroPathAI/spinnaker-poc

View Code ZIP pw:eip

References (4)

[X_Refsource_Confirm] https://github.com/spinnaker/spinnaker/security/advisories/GHSA-x3j7-7pgj-h87r

[X_Refsource_Misc] https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.3.2

[X_Refsource_Misc] https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.4.2

[X_Refsource_Misc] https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2026.0.1

Scores

CVSS v3 9.9

EPSS 0.0008

EPSS Percentile 24.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Lab Environment

COMMUNITY

Community Lab

docker pull spinnaker-base:local

docker pull minio/minio:latest

docker pull minio/mc:latest

docker pull osixia/openldap:1.5.0

docker pull docker.elastic.co/elasticsearch/elasticsearch:7.17.15

https://github.com/ZeroPathAI/spinnaker-poc

View in Library

Details

CWE

CWE-20

Status published

Products (5)

io.spinnaker.clouddriver/clouddriver-artifacts-gitrepo 0 - 2026.0.1Maven

spinnaker/spinnaker < 2025.3.2

spinnaker/spinnaker < 2025.4.2

spinnaker/spinnaker < 2026.0.1

spinnaker/spinnaker < 2026.1.0

Published Apr 20, 2026

Tracked Since Apr 21, 2026